Seminar & Events

Upcoming events

Recent Progress in Leakage-Resilient Cryptography

11:00am Monday June 25th 2012, Campus Kirchberg E212, seminar held by Yevgeniy Dodis, New York University

I will survey selected recent advances in the field of Leakage-Resilient Cryptography. This booming area is concerned with the design of cryptographic primitives resistant to arbitrary side-channel attacks, where an attacker can repeatedly and adaptively learn information about the secret key, subject only to the constraint that the overall amount of such information is somehow "bounded", so that the entire secret key is not leaked. I will start by surveying recent results in the so-called Bounded Leakage Model, where the overall leakage is bounded by some parameter L, and the goal is to make L large relative to the length of the secret key. Then, I will move to the Bounded Retrieval Model, which ensures that the complexity of the scheme is independent of the leakage bound L (e.g., it does not increase when the leakage parameter L grows). Finally, I will briefly mention the more advanced Continuous Leakage Model, where the secret key is periodically refreshed (the public key is fixed!), and the amount of leakage is only bounded in between successive refreshes, but is unbounded overall. Most of the covered material can be found in the survey available here: http://cs.nyu.edu/~dodis/ps/brm.ps

In this thesis we consider different problems related to provable security and the indifferentiability framework. Ideal primitives such as random oracles and ideal ciphers are theoretical abstractions of cryptographic hash functions and block ciphers respectively. These idealized models help us to argue security guarantees for various cryptographic schemes for which standard model security proofs are not known. In the first part of this thesis we consider problems related to ideal primitive construction starting from a different ideal primitive. We adopt the indifferentiability framework proposed by Maurer et al. in TCC'04 for this purpose. The indifferentiability framework helps us to preserve the security guarantee of cryptographic schemes when the ideal primitives are replaced by indifferentiable constructions, even when the ideal primitives are used in a public manner.

At first, we consider the problem of ideal cipher domain extension. We show that the 3-round Feistel construction, built using n-bit ideal ciphers, is actually indifferentiable from a 2n-bit ideal cipher. We also consider other related issues, such as why 2-round Feistel is not sufficient, security analysis in the standard indistinguishability model for both 2- and 3-round constructions, etc. Afterwards, we consider the open problem of whether the 6-round Feistel construction using random round functions is indifferentiable from a random invertible permutation or not. We give a partial positive answer to this question. We show that the construction is actually publicly-indifferentiable (which is a restricted version of full indifferentiability) from an invertible random permutation.

In the later part of the thesis, we concentrate on some issues related to the security of the Probabilistic Signature Scheme (PSS). PSS with the RSA trapdoor is a widely deployed randomized signature scheme. It is known to be secure in the random oracle model. However, recently randomized signature schemes such as ISO/IEC 9796-2 have been shown to be susceptible to hardware fault attacks. In this work we show that PSS is actually secure against random fault attacks in the random oracle model. Afterwards, we consider the open problem related to the standard model security of PSS. We give a general negative result in this direction. We rule out the existence of any black-box proof technique showing security of PSS in the standard model.

Power Analysis of Threefish and Countermeasures - Jean-Francois Gallais

Threefish is a tweakable block cipher derived from the Skein hash function, which was submitted to NIST's SHA-3 competition and reached the last round of the selection. It solely relies on ARX instructions for fast and constant-time execution of the routine. The aim of this work is threefold: (1) to devise and experiment specific power analysis methods for the modular addition; (2) to study and compare the side-channel resistance of the cipher through power analysis of the modular addition; (3) to circumvent the weaknesses observed by putting forward a first-order DPA resistant implementation.

Tor is a widely used anonymity network providing low-latency communication capabilities. Around 400,000 users per day use Tor to route TCP traffic through a sequence of relays; three hops are selected from a pool of currently almost 3000 volunteer-operated Tor relays to comprise a route through the network for a limited time. In comparison to single-hop proxies, forwarding TCP streams through multiple relays increases the anonymity of the users significantly: each hop along the route only knows its successor and predecessor. The anonymity provided by Tor heavily relies on the hardness of linking a user's entry and exit nodes. If an attacker gains access to the topological information about the Tor network instead of having to consider the network as a fully connected graph, this anonymity may be reduced. In fact, we have found ways to probe the connectivity of a Tor relay. We demonstrate how the resulting leakage of the Tor network topology can be used and present attacks to trace back a user from an exit relay to a small set of potential entry nodes.

A Practical Leakage-Resilient Signature Scheme in the Generic Group Model - Srinivas Vivek

We propose a leakage-resilient signature scheme in the Only Computation Leaks Information model that is based on a well-known identity-based encryption scheme by Boneh and Boyen (Eurocrypt 2004). The proposed signature scheme is the most efficient among the existing leakage-resilient proposals in the continual leakage model. Its efficiency matches that of most non-leakage-resilient pairing-based signature schemes. It tolerates leakage of almost half of the bits of the secret key at every new signature invocation. We prove the security of the new scheme in the generic bilinear group model.

CryptoLux/LACS PhD Days March 28

On the Public Indifferentiability and Correlation Intractability of the 6-Round Feistel Construction - Avradip Mandal

We show that the Feistel construction with six rounds and random round functions is publicly indifferentiable from a random invertible permutation (a result that is not known to hold for full indifferentiability). Public indifferentiability (pub-indifferentiability for short) is a variant of indifferentiability introduced by Yoneyama et al. and Dodis et al., where the simulator knows all queries made by the distinguisher to the primitive it tries to simulate, and is useful to argue the security of cryptosystems where all the queries to the ideal primitive are public (as e.g. in many digital signature schemes). To prove the result, we introduce a new and simpler variant of indifferentiability, that we call sequential indifferentiability (seq-indifferentiability for short), and show that this notion is in fact equivalent to pub-indifferentiability for stateless ideal primitives. We then prove that the 6-round Feistel construction is seq-indifferentiable from a random invertible permutation. We also observe that sequential indifferentiability implies correlation intractability, so that the Feistel construction with six rounds and random round functions yields a correlation intractable invertible permutation, a notion we define analogously to correlation intractable functions introduced by Canetti et al.

Conversion of Security Proofs from One Model to Another: A New Issue - Praveen Kumar Vadnala

To guarantee the security of a cryptographic implementation against Side Channel Attacks, a common approach is to formally prove the security of the corresponding scheme in a model as pertinent as possible. Nowadays, security proofs for masking schemes in the literature are usually conducted for models where only the manipulated data are assumed to leak. However, in practice the leakage is better modeled by encompassing the memory transitions, as e.g. in the Hamming distance model. From this observation, a natural question is to decide to what extent a countermeasure proved to be secure in the first model stays secure in the second. In this paper, we look at this issue and we show that it must definitely be taken into account. Indeed, we show that a countermeasure proved to be secure against second-order side-channel attacks in the first model becomes vulnerable against a first-order side-channel attack in the second model. Our result emphasizes the issue of porting an implementation from devices leaking only on the manipulated data to devices leaking on the memory transitions. Joint work with: Jean-Sebastien Coron, Christophe Giraud, Emmanuel Prouff, Soline Renner, Matthieu Rivain

Censorship and Tor network

2:15pm Friday February 10 2012, Campus Kirchberg, Main building room B02, LACS/SnT seminar held by Jacob Appelbaum, University of Washington Security and Privacy lab

Are you interested in how governments and corporations attempt to censor access to the Tor network? Wonder what protocol fingerprints are actually used as protocol distinguishers? This talk will cover some real world examples that the Tor network faces and it will discuss deployed solutions; hopefully we'll have lots of room for discussion for future development.

Jacob Appelbaum ( http://en.wikipedia.org/wiki/Jacob_Appelbaum ) is a renowned independent internet security professional, accomplished photographer, software hacker and world traveller. A developer for The Tor Project, Appelbaum trains interested parties globally on how to effectively use and contribute to the Tor network. Since its initial release, Tor has enabled roughly 36 million people around the world to experience freedom of access and expression on the Internet while keeping them in control of their privacy and anonymity. Its network has proved pivotal in dissident movements in both Iran and more recently Egypt.

A driving force in the team behind the creation of the Cold Boot Attacks, Appelbaum won both the Pwnie for Most Innovative Research award and the Usenix Security best student paper award in 2008. Additionally, he was part of the MD5 Collisions Inc. team that created a rogue CA certificate by using a cluster of 200 PlayStations funded by the Swiss taxpayers. The "MD5 considered harmful today" research was awarded the best paper award at CRYPTO 2009.

He is also a staff research scientist at the University of Washington Security and Privacy lab. Appelbaum is also a founding member of the hacklab Noisebridge in San Francisco where he indulges his interests in magnetics, cryptography and consensus based governance.